Cybersecurity

The Top Five Cyber Policy Developments of 2014: A Year of Corporate Cyberattacks

Over the next few days, Net Politics will countdown the top five developments in cyber policy of 2014. Each policy event will have its own post, explaining what happened, what it all means, and its impact on cyber policy in 2015. In this post, corporate cyberattacks. Sharone Tobias is the research associate for Asia studies and the Digital and Cyberspace Policy program at the Council on Foreign Relations. While Sony may have dominated the news towards the end of 2014, three major cyberattacks against U.S. companies shook the corporate world earlier this year: Target opened the year by announcing in January that hackers had stolen personal information from an estimated 110 million accounts; hackers accessed approximately 83 million J.P. Morgan Chase accounts in August; and Home Depot confirmed that its payment system was breached in September, compromising an estimated 56 million accounts. Here’s a look back at the details of each of those attacks, and how they affected the conversation about cybersecurity in the United States and the corporate sector. Target Target announced in January that hackers had stolen data—including names, mailing addresses, phone numbers, and email addresses—from over 70 million shoppers, and the credit card information of 40 million shoppers. 1 to 3 million of those credit cards were then sold on the black market, raising an estimated $53.7 million for the hackers. The attack caused enormous damage to Target’s reputation and stock prices, resulting in the resignation of Beth M. Jacob, the company’s most senior technology officer in February, and Gregg Steinhafel, CEO and chairman of the board, in May. Target executives were summoned to appear before congressional panels about data privacy, and executives admitted that they had missed certain warning signs about security gaps. Experts say that Target left itself particularly vulnerable to attack, ignoring memos circulated by the federal government and research firms suggesting that new malware was targeting Target’s payment system, allowed too much access to vendors, and did not do enough to wall its payment system off from the rest of its network. The attack cost Target $148 million, and cost financial institutions $200 million, according to the Consumer Bankers Association and the Credit Union National Association. The company announced a timetable to move its debit and credit cards to a chip-and-pin system, widely used in Europe but still rare in the United States. The chip-and-pin system is considered more secure than credit cards that rely on magnetic strips, and the move will cost Target $100 million. The company also spent $61 million in anti-breach technology in the months following the cyberattack, and profits fell 46 percent in the fourth quarter of 2013. J.P. Morgan Chase In August, the networks of several banks, most prominently J.P. Morgan Chase, were infiltrated by a network of hackers who accessed checking and savings account information. The attack went unnoticed for two months over the summer. J.P. Morgan estimated that 76 million households and 7 million small businesses accounts were affected by the attack, although hackers weren’t able to access the most private data like Social Security or account numbers. Experts believe that Russian criminals were behind the attack. However, the origin of the attack is still far from settled, though the FBI officially ruled out the Russian government as a perpetrator. Ultimately, though the infiltration was one of the largest known cyberattacks against a financial institution, the J.P. Morgan attack did not cost consumers much money. The data accessed was more related to J.P. Morgan’s marketing functions than banking functions. Even so, that kind of information allows hackers to write more effective spearphishing emails to trick Chase customers into giving out information. However, a recent report argues that the despite J.P. Morgan’s $250 million budget on cybersecurity, hackers were able to access the company’s servers because the security team had neglected to add two-factor authentication, an extra layer of security used by most big banks. This oversight might explain why other institutions targeted by the same hackers did not suffer nearly as large of an intrusion. Home Depot Home Depot confirmed in September that they had been infiltrated by hackers since April, admitting that 56 million accounts were put at risk, more than Target’s 40 million accounts. The company expected to pay $62 million to cover the costs of the attack, including legal fees and overtime for staff, and causing an estimated $90 million in costs for banks to replace 7.4 million debt and credit cards. Unnamed staff within Home Depot said that the company’s information security department struggled with high turnover and old software. The team resisted using the Endpoint security feature of Symantec’s cybersecurity program, a feature that tracks and alerts system administrators of suspicious activity, despite the urging of security consultants. The company also did not encrypt customer card data until September 2014. The Takeaway Target, J.P. Morgan, and Home Depot were only three of many victims of cyberattacks in 2014; Staples, Healthcare.gov, Neiman Marcus, and many others also suffered cyberattacks that left customers vulnerable. Several similarities stand out between these and the Sony attack. First, in these attacks, the division of responsibility for the costs and defense is not clear. Even in the case of Home Depot and Target, where lapses in security were mainly the fault of retailers, financial institutions bore the brunt of the cost. Second, the attacks show the necessity of protecting the weakest links and access points, such as through vendor networks. Finally, and perhaps most surprisingly, customers just don’t seem to care that much about the security of their data—only a few months after these attacks, stock prices and sales returned to normal at Home Depot and Target.

Post by Guest Blogger for Net Politics December 30, 2014 Net Politics

China

The Top Five Cyber Policy Developments of 2014: China’s Great Leap Forward

Over the next few days, Net Politics will countdown the top five developments in cyber policy of 2014. Each policy event will have its own post, explaining what happened, what it all means, and its impact on cyber policy in 2015. In this post, China’s great leap forward in cyber policy making. 2014 was a year of major progress on the cyber policy front for China. Beijing reorganized and revitalized its policy making institutions at home, and it moved to shape the international agenda on the norms of behavior for cyberspace. In February, China announced the formation of new leading small group on network security and informatization, with Xi Jinping as its head. The creation of the group was important for at least three reasons. First, it was a signal of the growing importance of cyber to China’s strategic, political, economic, diplomatic, and military interests. Or in the phrasing of President Xi, "No information security means no national security, no informatization means no modernization." Second, it was an effort to bring greater coherence and coordination to cyber policy making. Five different ministries and bureaus—the Ministry of Public Security, State Encryption Bureau, State Secrets Bureau, Ministry of State Security, Ministry of Industry and Information Technology—plus the People’s Liberation Army have a say in cybersecurity policy. The new group should be able to define priorities and resolve internal conflicts. Third, it was part of Xi’s efforts to consolidate power in his own hands. In addition to the network security group, Xi has established and leads a Central Leading Group for Overall Reform and a new national security commission. In November, China hosted the World Internet Conference. The conference was not free of mistakes; there was, for example, a rather ham-handed effort to slip a final declaration under the doors of the delegates after midnight right before the conference closed. Yet the meeting in Wuzhen was a clear signal that China intends to take a more active role in defining the agenda for Internet governance. In particular, Beijing has stressed the norm of Internet sovereignty, the idea that every state has the right to make rules and regulations covering cyberspace, and that right should be recognized internationally. In other words, the global Internet should be subject to local controls. This confidence and assertiveness were also on display when Lu Wei, head of China’s Cyberspace Administration, visited the United States just a few weeks after the conference ended. Lu spoke in Washington, but the highlight, at least for the Chinese press, was his visit to the West Coast. Lu rode in a driverless car at Google, met with Jeff Bezos of Amazon and Tim Cook of Apple, and visited Facebook, where Mark Zuckerberg told him he had read and shared copies of Xi Jinping’s book, The Governance of China. It remains to be seen whether China can convert these aspirations into realities in 2015. At home, it will have to move quickly to improve domestic cybersecurity. On the international stage, it will have to convert its new found activism into concrete policy recommendations. Still, the objective is clear: China intends on become a strong cyber power.

Post by Adam Segal December 29, 2014 Net Politics

Cyber Week in Review: December 26, 2014

Here is a quick round-up of this week’s technology headlines and related stories you may have missed: The Sony hacking story continued to unfold. After President Obama said that the United States would respond proportionally to North Korean intrusion into Sony’s networks in a time and manner of its choosing, North Korea unexpectedly lost all Internet connection. While some commentators drew a causal link between both events, there are a number of other reasons that could explain the outage. Taking a step back from the whole Sony incident, David Sanger at the New York Times examines the challenges facing the United States when responding to state-backed cyber activity. The German Federal Office for Information Security (BSI) announced that hackers infiltrated the networks of a German steel mill and caused the damage to the mill’s blast furnace. The BSI said the hack could have been avoided had the industrial control systems that controlled the furnace not been connected to the Internet. Facebook was criticized in Russia for removing a page on its website announcing a protest in Moscow organized by Alex Navalny, an opposition activist currently under house arrest. Facebook took down the page at the request of Roskomnadzor, Russia’s Internet regulator, which argued that it promoted an "unsanctioned mass event." Since Vladimir Putin’s return to the presidency in 2012, Russia has tightened its controls on online expression. Following up on a story I mentioned two weeks ago, the Irish government backed Microsoft’s claim that the United States cannot compel the software giant to hand over data held on its servers in Ireland without first seeking the Irish government’s permission. Microsoft, with the support of many of the IT industry and now the Irish government, is appealing a July ruling from a U.S. court which compelled it to provide data related to a drug case despite the fact that the data is held outside of the United States.

Post by Adam Segal December 26, 2014 Net Politics

Cybersecurity

Motohiro Tsuchiya: Japan is Ready for an International Alliance Against Cyber Threats

This is a guest post by Motohiro Tsuchiya, a professor at Keio University, and a visiting scholar at the East-West Center. Japan has watched the developing story of the cyber attacks against Sony Pictures Entertainment with great interest and a high degree of shock. While the company is American, Sony has Japanese origins and many Japanese citizens view the hack as if it happened to a Japanese company. The attack is a reminder of the hack of Sony’s PlayStation Network in the spring of 2011, but its impact can be most accurately compared to the cyber incident that affected Mitsubishi Heavy Industries (MHI), Japan’s biggest military contractor, in late 2011. That breach led to the large-scale theft of high-tech military information. Since the MHI case, many Japanese companies have become sensitized to the possible fallout of cyberattacks, particularly as nation states have begun to target private companies. This rarely happened in the Cold War era, but now seems a defining characteristic of cyberconflict. Many Japanese companies and government ministries have been victimized in various ways and some individuals have been mistakenly arrested due to faulty attribution. While this offers little comfort to Sony, it may be better for regional stability if the Democratic People’s Republic of Korea (DPRK) becomes more reliant on cyber tools instead of kinetic attacks to promote its interests. Despite their harsh rhetoric, the DPRK leadership tends to be cautious in calculating the impact of their actions when they attack or criticize foreign countries. Launching a kinetic attack is much riskier and much more likely to result in severe repercussions. The plausible deniability of cyberattacks and the use of proxies is an ideal alternative for Pyongyang. In some cultures, particularly in the DPRK and China, information used to criticize or make fun of political leaders can be regarded as an especially threatening attack against authority and regime stability. Beijing, Pyongyang, and others consider criticism and satire as "information attacks" and often use the term interchangeably with "cyberattacks" when the information attacks are conveyed online. Through this lens, it is somewhat understandable that the DPRK used cyberattacks to protest a movie, the central plot of which is the assassination of Kim Jong-un, the supreme leader. The plots of Hollywood movies often revolve around the attempted assassination of American presidents, but it is quite rare for a movie to actually show the killing of a another country’s sitting or former president. There seems little doubt that U.S. citizens would criticize a DPRK made film depicting the killing of President Obama, even if the movie would be protected as free speech in the United States. Sony could have been more sensitive to the potential North Korean reaction, but it certainly does not justify the use of cyberattacks to disrupt the release of a movie. How will Japan react? Even before the Sony hack became public, the Japanese Parliament was taking steps to reinforce cybersecurity. The National Diet passed the "Cybersecurity Basic Law" in November 2014. In the Japanese system, a basic law usually sets the country’s long-term strategic goal in a certain policy area. By passing the Cybersecurity Basic Law, the National Information Security Council acquired more authorities and strengthened its legal basis to oversee cybersecurity issues in Japan. The former Information Security Policy Council, which set cybersecurity policies across government and reported to Japan’s chief bureaucrat, was renamed the Cybersecurity Strategic Headquarters, and now cooperates closely with the new Japanese National Security Council, chaired by the Japanese prime minister. The headquarters’ mandate is broad, covering the setting of Japan’s strategic goals for cyberspace, protecting critical infrastructure, raising public awareness, research and development, and information sharing. There is an international component of the Cybersecurity Basic Law. Article 23 requires Japan to contribute to international arrangements that improve its cybersecurity. Japan has held a series of cybersecurity meetings with Association of Southeast Asian Nations and held its first meeting with the European Union in October 2014. The Sony hack came at a timely moment and will test Japan’s new responsibilities. However, taking a hard line attitude towards the DPRK may complicate the ongoing bilateral challenges between Japan and the DPRK, including the discussion about the abduction of Japanese citizens. This, however, may not be how it plays out. The DPRK has traditionally sought to improve relations with Japan when tensions rise with the United States, with the hope that Japan can insulate North Korea from U.S. pressure. The United States and Japan will need to work closely to maintain a delicate balance and to make sure Pyongyang does not open up space between their positions. As Tokyo looks to host the Olympic Games in 2020, organizers will need to be mindful of the impact that DPRK cyberattacks could have. Strengthening U.S.-Japanese cooperation in this area will not only provide a united front against the DRPK in the short term, but also seek to prepare for any contingencies that might occur during the Tokyo olympics.

Post by Guest Blogger for Net Politics December 23, 2014 Net Politics

Cybersecurity

Will China Pressure North Korea on the Sony Hack?

The United States has reportedly asked the Chinese government for help with North Korea and cyberattacks. Most of North Korea’s Internet traffic passes through China, and the New York Times quotes one administration official as saying,“What we are looking for is a blocking action, something that would cripple their efforts to carry out attacks.” There are numerous reasons to be skeptical that Beijing is going to be forthcoming with this request. Discussions on cyber between the United States and China have been difficult ever since the United States indicted five People’s Liberation Army officers for hacking into U.S. companies. In October, Foreign Minister Yang Jiechi told Secretary of State John Kerry that Beijing was waiting for the United States to "take positive actions so as to create conditions for the restart of dialogue and cooperation between the two countries." That positive action—probably something on the indictments—has not happened. While China does not approve of North Korean actions, it is sympathetic to the argument that The Interview was insulting to North Korea. The Global Times said the movie was nothing for Hollywood or American society to be proud of, a result of "senseless cultural arrogance." Moreover, there is a long history of Beijing going easier on Pyongyang than the United States would like, even if some Chinese analysts have grown tired of supporting the Kim Jong-un regime. Today’s press reports reinforce the sense that China will not do much, though Bloomberg is reporting that China will start its own investigation of the hack. Officials stated that China opposed cyberattacks and would engage in "constructive cooperation" with the international community, but said there was no proof North Korea was behind the Sony attacks. Foreign Ministry spokeswoman Hua Chunying said, "We need sufficient evidence before drawing any conclusion." There is, however, a small glimmer of hope. In her statement, Hua stressed twice that China opposed "cyberattacks launched by any country or individual by using facilities beyond its own national borders against a third country." This is most likely a reference to the North Korean hackers reportedly operating from China (here are pictures of the Chilbosan hotel in Shenyang where members of Unit 121, North Korea’s computer network operations team, are supposedly based). One of the newspapers owned by the People’s Daily ran an article today quoting a South Korean professor as saying Pyongyang had approximately one thousand hackers in China, so the Chinese press at least is not categorically denying their existence. In June 2013, China signed on to the report from the third UN Group of Government Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security. The report affirms that “international law, and in particular, the United Nations Charter” applies to cyberspace and that states must do something about cyberattacks that come from within their territory. It also affirms, "States should seek to ensure that their territories are not used by non-State actors for unlawful use of ICTs [information and communication technologies]." Ever since the Chinese signed off on the GGE report, they have said little about international responsibility and much about national sovereignty. But the statement from the Foreign Ministry suggests some sensitivity to the norm and thus how Washington might structure its argument to Beijing. And while China not likely to close the Chilbosan anytime soon, they may have signaled to North Korea that it is a possibility.

Post by Adam Segal December 22, 2014 Net Politics